Virus and Spyware Removal Guides, uninstall instructions

Coca Cola Email Virus

What is the "Coca Cola" scam email?

"Coca Cola email virus" refers to a spam campaign proliferating GuLoader malware. The term "spam campaign" defines a mass-scale operation during which thousands of scam emails are sent. The messages distributed through this campaign are disguised as Requests for Proposals (RFPs) from Coca Cola.

Note that these emails are in no way associated with The Coca-Cola Company. The scam messages have infectious files attached to them, which contain GuLoader malware. This malicious program is designed to infect systems with additional malware (e.g., Trojans, ransomware, cryptominers, etc.).

   
Tangeng Ransomware

What is Tangeng?

Tangeng is a type of malware that encrypts victims' files and then demands payment to unlock (decrypt) them. In other words, victims cannot access or use their files unless the ransom is paid.

Tangeng also renames encrypted files by appending the ".tangeng" extension to filenames. For example, "1.jpg" is renamed to "1.jpg.tangeng", "2.jpg" to "2.jpg.tangeng", and so on. It also generates ransom messages in "HOW_TO_DECYPHER_FILES.hta" and "HOW_TO_DECYPHER_FILES.txt" files.

Tangeng creates the "HOW_TO_DECYPHER_FILES.txt" file in all folders that contain encrypted data.

Judging by the HTML tags in the TXT file, it can be assumed that the ransomware developers either wanted to create HTML files rather than TXT files, or mistakenly pasted the text from the HTA file into the TXT file.

   
NoCry Ransomware

What is the NoCry ransomware?

Discovered by malware researcher S!Ri, NoCry is a ransomware-type program. It is designed to encrypt data and demand payment for decryption. When NoCry encrypts files, it renames them by appending the ".Cry" extension. For example, a file originally named something like "1.jpg" would appear as "1.jpg.Cry", "2.jpg" as "2.jpg.Cry", "3.jpg" as "3.jpg.Cry", and so on. An updated variant of NoCry ransomware appends the ".recry" extension.

After the encryption process is complete, ransom messages are displayed in a pop-up window and created in the "How To Decrypt My Files.html" file. Additionally, this ransomware changes the desktop wallpaper.

   
AnalyzerDivision Adware (Mac)

What is AnalyzerDivision?

AnalyzerDivision is designed to display advertisements and promote a fake search engine. In this way, the app functions as adware and a browser hijacker, and it might also collect user information.

Adware and other software of this kind are often downloaded and installed by users unintentionally and, for this reason, AnalyzerDivision is categorized as a potentially unwanted application (PUA).

   
SpeedFixTool Unwanted Application

What is SpeedFixTool?

SpeedFixTool is advertised as a simple and powerful tool to scan, clean and optimize computers; however, this program is promoted using dubious methods. Therefore, at least some users download and install SpeedFixTool inadvertently.

Programs that users download and install unintentionally are categorized as potentially unwanted applications (PUAs).

   
DERZKO Ransomware

What is DERZKO?

Typically, ransomware is designed to encrypt and rename files (prevent access) and keep them inaccessible unless a ransom is paid. DERZKO renames files by appending the ".DERZKO" extension to filenames. For example, "1.jpg" is renamed to "1.jpg.DERZKO", "2.jpg" to "2.jpg.DERZKO", and so on.

DERZKO also creates the "DERZKO-HELP.txt" file in all folders that contain encrypted files.

Note that DERZKO was discovered by MalwareHunterTeam and belongs to the NEFILIM ransomware family.

   
CoolStreamSearch Browser Hijacker

What is CoolStreamSearch?

CoolStreamSearch is rogue software categorized as a browser hijacker. After infiltrating systems, CoolStreamSearch makes modifications to browser settings to promote coolstreamsearch.com, a fake search engine. This browser hijacker also has data tracking capabilities, which are employed to collect browsing-related information.

Due to the dubious methods used to proliferate CoolStreamSearch, it is also classified as a Potentially Unwanted Application (PUA).

   
Lucifer Ransomware

What is the Lucifer ransomware?

Discovered by MalwareHunterTeam, Lucifer is a malicious program categorized as ransomware. This type of malware is designed to encrypt data and demand payment for decryption. Systems infected with Lucifer ransomware have their files "locked" (rendered inaccessible and useless) and users receive ransom demands to have them "unlocked".

When Lucifer encrypts files, it appends a unique ID assigned to the victim and the ".lucifer" extension to each affected filename. For example, a file originally named "1.jpg" would appear as something similar to "1.jpg.Id-PYOXTPKBOX.lucifer" following encryption.

After this process is complete, ransom messages are created in the "HELP_DECRYPT_YOUR_FILES.txt" and "HELP_DECRYPT_YOUR_FILES.html" files.

   
Javali Banking Trojan

What is Javali?

Banking Trojans are malicious programs that, once installed on the victim's computer, create botnets, steal credentials, inject malicious code into web browsers, or steal money. Javali (also known as Ousaban) is a banking Trojan targeting users of financial institutions who live in Latin America.

Research shows that this Trojan is distributed using malicious links and attachments in malspam emails. If there is any reason to believe that the Javali Trojan is installed on the operating system, remove it immediately.

   
Searchlee Browser Hijacker (Mac)

What is Searchlee?

Browser hijackers are potentially unwanted applications (PUAs) that change browser settings (to promote fake search engines) and gather browsing data. Searchlee promotes searchlee.com, an untrusted search engine that generates fake results with deceptive ads among them.

This browser hijacker is developed by Linkury Inc., a company that developed another notorious browser hijacker called SafeFinder.

   
